Security is very important to the FreeBSD Release Engineering Team. This manifests itself in several concrete areas:
All security incidents and fixes pass through the Security Team and are issued as publicly available Advisories. The Security Team has a reputation for quickly resolving known security issues. Full information regarding FreeBSD's security handling procedures and where to find security information is available at http://www.FreeBSD.org/security/.
One of the problems associated with Open Source software is the sheer volume of available applications. There are literally tens of thousands of Open Source application projects, each with varying levels of responsiveness to security incidents. FreeBSD has met this challenge head-on with VuXML. All software shipped with the FreeBSD operating system, as well as any software available in the Ports Collection, is compared to a database of known, unresolved vulnerabilities. An administrator can use the portaudit(1) utility to quickly determine if any software on a FreeBSD system is vulnerable, and if so, receive a description of the problem and a URL containing a more detailed vulnerability description.
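The comparison portaudit(1) performs is easy to see in miniature. The following is an added example, not code from the original page or from FreeBSD's own tooling: it parses a small VuXML-style document and reports which installed packages fall inside an affected version range. The element names and the `http://www.vuxml.org/2005/v1` namespace are those of real VuXML; the `vid` values, package names, versions and URLs are constructed placeholders, and the version ordering is a simplified stand-in for the ports version comparison that pkg_version(1) implements.

```python
"""Match installed packages against a VuXML-style vulnerability database."""
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/2005/v1}"

# Constructed sample database (not the real vuln.xml). The vid values,
# package names and URLs are placeholders for illustration only.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/2005/v1">
  <vuln vid="PLACEHOLDER-VID-0001">
    <topic>examplehttpd -- remote buffer overflow in request parser</topic>
    <affects>
      <package>
        <name>examplehttpd</name>
        <range><lt>2.4.1_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Placeholder description of the issue.</p>
      </body>
    </description>
    <references>
      <url>https://example.invalid/advisory/0001</url>
    </references>
  </vuln>
  <vuln vid="PLACEHOLDER-VID-0002">
    <topic>exampledb -- privilege escalation in 1.x before 1.9</topic>
    <affects>
      <package>
        <name>exampledb</name>
        <range><ge>1.0</ge><lt>1.9</lt></range>
      </package>
    </affects>
    <references>
      <url>https://example.invalid/advisory/0002</url>
    </references>
  </vuln>
</vuxml>
"""

# Constructed list of installed packages, in the "name-version" form that
# pkg_info(1) prints one per line.
SAMPLE_INSTALLED = ["examplehttpd-2.4.1_1", "exampledb-2.0", "exampletool-0.9"]


def version_key(version):
    """Simplified comparison key: split on '.', '_' and ',' and compare
    numeric components as integers and other components as strings.
    This approximates the real ports ordering; it is enough for the sample."""
    parts = re.split(r"[._,]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def in_range(version, range_el):
    """True if version satisfies every bound (<lt>, <le>, <gt>, <ge>, <eq>)
    inside a VuXML <range> element."""
    ops = {
        "lt": lambda a, b: a < b,
        "le": lambda a, b: a <= b,
        "gt": lambda a, b: a > b,
        "ge": lambda a, b: a >= b,
        "eq": lambda a, b: a == b,
    }
    key = version_key(version)
    for bound in range_el:
        tag = bound.tag.replace(VUXML_NS, "")
        if tag not in ops or not ops[tag](key, version_key(bound.text.strip())):
            return False
    return True


def split_pkg(pkgname):
    """Split 'name-version' at the last '-' (port names may contain dashes)."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def audit(vuxml_text, installed):
    """Return (package, vid, topic, urls) for every installed package that
    falls inside an affected range of some <vuln> entry."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.iter(VUXML_NS + "vuln"):
        vid = vuln.get("vid")
        topic = vuln.findtext(VUXML_NS + "topic", default="").strip()
        urls = [u.text.strip() for u in vuln.iter(VUXML_NS + "url") if u.text]
        for package in vuln.iter(VUXML_NS + "package"):
            names = {n.text.strip() for n in package.findall(VUXML_NS + "name")}
            ranges = package.findall(VUXML_NS + "range")
            for pkg in installed:
                name, version = split_pkg(pkg)
                if name in names and any(in_range(version, r) for r in ranges):
                    findings.append((pkg, vid, topic, urls))
    return findings


if __name__ == "__main__":
    for pkg, vid, topic, urls in audit(SAMPLE_VUXML, SAMPLE_INSTALLED):
        print(f"Affected package: {pkg}\n  {topic}\n  vid: {vid}")
        for url in urls:
            print(f"  reference: {url}")
```

Run against the constructed data, the script reports `examplehttpd-2.4.1_1` (below the `2.4.1_2` bound) and stays silent about `exampledb-2.0`, which lies outside the `1.0 <= v < 1.9` window. On a real host the installed list would come from the package database and the document from the downloaded vuln.xml.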
FreeBSD also provides many mechanisms which allow an administrator to tune the operating system to meet his security needs:
The jail(8) utility allows an administrator to imprison a process; this is ideal for applications which don't provide their own chroot environment.
The chflags(1) utility augments the security provided by traditional Unix permissions. It can, for example, prevent specified files from being modified or deleted by even the superuser.
FreeBSD provides three built-in stateful, NAT-aware firewalls, allowing the flexibility of choosing the ruleset most appropriate to one's security needs.
The FreeBSD kernel is easily modified, allowing an administrator to strip out unneeded functionality. FreeBSD also supports kernel loadable modules and provides utilities to view, load and unload kernel modules.
The sysctl mechanism allows an administrator to view and change kernel state on-the-fly without requiring a reboot.
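The chflags(1) and sysctl(8) mechanisms above combine naturally into a baseline check. The script below is an added example, not part of the original page or of FreeBSD itself: it reads the text that `sysctl -a` and `ls -lo` print, compares the kernel state against a chosen baseline, and verifies that selected files carry the system-immutable flag. The sysctl names are real FreeBSD OIDs, but the baseline values, the file list and the command output embedded here are constructed for the example; `collect_live()` shows how a FreeBSD host (with Python installed from ports) would gather the real inputs instead.

```python
"""Check FreeBSD kernel state and file flags against a small hardening baseline."""
import subprocess

# Desired kernel state. The OIDs are real FreeBSD sysctls; the values are
# this example's chosen baseline, not FreeBSD's defaults.
SYSCTL_BASELINE = {
    "security.bsd.see_other_uids": "0",          # hide other users' processes
    "security.bsd.see_other_gids": "0",
    "security.bsd.unprivileged_read_msgbuf": "0",  # kernel message buffer is root-only
    "net.inet.tcp.blackhole": "2",               # no RST for closed TCP ports
    "net.inet.udp.blackhole": "1",               # no ICMP unreachable for closed UDP ports
}

# Files this example expects to carry the schg (system immutable) flag.
# Once kern.securelevel is 1 or higher, even root cannot clear schg.
SCHG_FILES = ["/sbin/init", "/etc/rc"]

# Constructed sample output in the format of `sysctl -a` and `ls -lo`.
SAMPLE_SYSCTL = """\
kern.securelevel: -1
security.bsd.see_other_uids: 0
security.bsd.see_other_gids: 1
security.bsd.unprivileged_read_msgbuf: 0
net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 1
"""
SAMPLE_LS = """\
-r-xr-xr-x  1 root  wheel  schg  1234 Jan  1 00:00 /sbin/init
-r--r--r--  1 root  wheel  -  5678 Jan  1 00:00 /etc/rc
"""


def parse_sysctl(text):
    """Parse 'name: value' lines from sysctl(8) into a dict."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            state[name.strip()] = value.strip()
    return state


def parse_ls_lo(text):
    """Map path -> set of file flags from `ls -lo` output.
    Columns: mode, links, owner, group, flags, size, month, day, time, name;
    the flags column reads '-' when no flag is set."""
    flags = {}
    for line in text.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 10:
            continue
        field, path = parts[4], parts[9]
        flags[path] = set() if field == "-" else set(field.split(","))
    return flags


def check_baseline(sysctl_text, ls_text):
    """Return a list of human-readable findings; an empty list means compliant."""
    state = parse_sysctl(sysctl_text)
    flags = parse_ls_lo(ls_text)
    findings = []
    for name, want in SYSCTL_BASELINE.items():
        have = state.get(name)
        if have != want:
            # sysctl can set this on the fly: sysctl <name>=<value>
            findings.append(f"sysctl {name}={have!r}, baseline wants {want!r}")
    level = int(state.get("kern.securelevel", "-1"))
    if level < 1:
        findings.append(f"kern.securelevel is {level}; schg flags can still be cleared by root")
    for path in SCHG_FILES:
        if "schg" not in flags.get(path, set()):
            findings.append(f"{path} lacks the schg flag (set with: chflags schg {path})")
    return findings


def collect_live():
    """On a FreeBSD host, gather the real inputs (not called on the sample data)."""
    sysctl_out = subprocess.run(["sysctl", "-a"], capture_output=True,
                                text=True, check=True).stdout
    ls_out = subprocess.run(["ls", "-lo"] + SCHG_FILES, capture_output=True,
                            text=True, check=True).stdout
    return sysctl_out, ls_out


if __name__ == "__main__":
    for finding in check_baseline(SAMPLE_SYSCTL, SAMPLE_LS):
        print("FINDING:", finding)
```

Against the constructed sample the check produces three findings: `see_other_gids` differs from the baseline, `kern.securelevel` is still -1 (so schg protection is not yet enforced against the superuser), and `/etc/rc` has no flags set. Raising securelevel is the step that turns the chflags(1) protection into something root cannot undo without a reboot, which is why the script reports it separately.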